Boy howdy, this one was good… but not quite good enough.
The back story – I am teaching a class on Content Management Systems. To help support the class, I registered several domains using the course name and number… cisy222.net, .us, .org, .com.
Getting ready for the class, I went ahead and configured a multisite WordPress installation on cisy222.net (hosted here on the spareparts box). After deciding to use siteground.com as the freeware hosting supplier for the course (they offer 3 months’ free service for students), I then moved cisy222.us over to siteground.
In order to move the domain over to siteground, I had to change the authoritative nameservers to siteground (a common limitation on low-end hosting), and that generated a routine alert message from the registrar.
So far, so good.
Then came the phish, a day later. Disguised as a status alert message from the registrar, this suggested that the nameservers were being changed for a different (but related) domain: cisy222.net. Yikes! So I went and signed in to the registrar (not using the convenient link in the email) and everything looked fine.
So I went back and studied the email a bit.
It was a phish.
But well-executed, Russian in origin, reasonably convincing, and I could see it being successful in many cases.
Don’t ever ever EVER click the link in an email without careful study first.